Just wanted to make a quick writeup on how to use the new DES KPA (known-plaintext attack) cracking mode.

An interesting example, I thought, would be how to retrieve the NTLM hash from a captured NetNTLMv1 session. It doesn't matter whether you were the server enforcing a chosen challenge or whether you sniffed the exchange from the wire.

Note: The approach shown here also works for cracking MSCHAPv2 or WPA2 Enterprise.

So, basically what we're looking for in NetNTLMv1 is the challenge and the 24-byte response. You can obtain them with Metasploit or other tools, but that's not the focus here. For details on how to get them, check out this page: https://crack.sh/mschapv2.html

You end up with a string that looks like the following: $99$ESIzRFVmd4hye041+UcSnqUrnN7a6Gk0WGw=

First we need to strip the $99$ signature and base64-decode the remainder. The decoded bytes break down like this:

The first 8 bytes are the challenge, which will be the plaintext (data) part of the DES cracking later.

The next 16 bytes are two of the three DES-encrypted blocks (CT1 and CT2). If we manage to crack both of them we can reconstruct the NTLM hash from the recovered keys. This is our goal, and success is guaranteed; it will just take some time.

The last 2 bytes are the already-recovered key of the third DES block. So yes, this one is already cracked, which was possible because its search space is tiny (0x10000, since only 2 bytes of that key actually come from the NTLM hash). We don't need to crack it anymore. Note: these will be the last 2 bytes of the final NTLM hash.

Now, to hashcat. We want to crack CT1 and CT2. Luckily, both have been generated with the same plaintext (the challenge). This means we can run a multi-hash attack against them and crack both for the price of one. From a math perspective, the keyspace to search is 2^56, not 2*(2^56).
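To make the byte layout and the shared-plaintext point concrete, here is a small added Python example. It is not code from the original post, from hashcat or from crack.sh. It takes the $99$ string quoted above apart, builds the two (ciphertext, plaintext) pairs that share the challenge as plaintext, and shows how the three DES keys relate to the 16-byte NTLM hash, which is why cracking K1 and K2 plus the two known K3 bytes gives back the whole hash and why the third block has only a 2^16 search space. The NTLM hash used in the round-trip helper is a constructed sample value, and the parity expansion illustrates why only 56 of the 64 DES key bits count toward the keyspace.

```python
import base64

# The $99$ token quoted in the writeup above (challenge 1122334455667788
# followed by the 24-byte NetNTLMv1 response), used here as sample input.
SAMPLE = "$99$ESIzRFVmd4hye041+UcSnqUrnN7a6Gk0WGw="


def parse_crack_sh_token(token):
    """Split a '$99$<base64>' token into its four fields.

    Layout after base64 decoding (26 bytes):
      [0:8]   server challenge -> the known plaintext of all three DES blocks
      [8:16]  CT1 = DES(K1, challenge)
      [16:24] CT2 = DES(K2, challenge)
      [24:26] the two real key bytes of K3, already recovered by brute force
    """
    if not token.startswith("$99$"):
        raise ValueError("missing $99$ signature")
    raw = base64.b64decode(token[4:])
    if len(raw) != 26:
        raise ValueError("expected 26 bytes, got %d" % len(raw))
    return {
        "challenge": raw[0:8],
        "ct1": raw[8:16],
        "ct2": raw[16:24],
        "k3_tail": raw[24:26],
    }


def known_plaintext_pairs(fields):
    """Return the two (ciphertext, plaintext) pairs, hex-encoded, that a DES
    known-plaintext attack works on. Both share the same plaintext, which is
    why one sweep over 2^56 keys tests each candidate against CT1 and CT2."""
    pt = fields["challenge"].hex()
    return [(fields["ct1"].hex(), pt), (fields["ct2"].hex(), pt)]


def ntlm_to_des_keys(ntlm_hash):
    """How NetNTLMv1 derives three 7-byte DES keys from a 16-byte NTLM hash:
    the hash is zero-padded to 21 bytes and cut into three pieces. K3 holds
    only 2 real bytes plus 5 zero bytes, hence its 0x10000 search space."""
    assert len(ntlm_hash) == 16
    padded = ntlm_hash + b"\x00" * 5
    return padded[0:7], padded[7:14], padded[14:21]


def reconstruct_ntlm(k1, k2, k3_tail):
    """Undo the split: cracked K1 and K2 plus the two known K3 bytes are
    exactly the 16 bytes of the NTLM hash."""
    assert len(k1) == 7 and len(k2) == 7 and len(k3_tail) == 2
    return k1 + k2 + k3_tail


def k3_search_space():
    """Only 16 key bits of K3 are unknown; the remaining 40 are fixed zeros."""
    return 2 ** 16


def expand_des_key(key7):
    """Expand a 7-byte key to the 8-byte DES key form: each byte carries
    7 key bits plus an odd-parity bit. The parity bits add no entropy,
    which is why the real keyspace is 2^56 and not 2^64."""
    assert len(key7) == 7
    bits = int.from_bytes(key7, "big")
    out = bytearray()
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F  # next 7 key bits, MSB first
        byte = seven << 1
        if bin(seven).count("1") % 2 == 0:
            byte |= 1  # make the total number of set bits odd
        out.append(byte)
    return bytes(out)


if __name__ == "__main__":
    f = parse_crack_sh_token(SAMPLE)
    print("challenge (plaintext):", f["challenge"].hex())
    for ct, pt in known_plaintext_pairs(f):
        print("ciphertext %s  plaintext %s" % (ct, pt))
    print("K3 tail (last 2 NTLM bytes):", f["k3_tail"].hex())
    print("K3 search space:", hex(k3_search_space()))
```

From a defender's point of view this is the whole problem with NetNTLMv1: the challenge is public, the response is two DES encryptions of it under keys taken straight from the NTLM hash, so one captured exchange is worth as much as the hash itself; enforcing NTLMv2 (or disabling NTLM where possible) removes the exposure.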

To make use of hashcat's DES KPA cracking we just need two pieces of information: the ciphertext and the plaintext. Both must be exactly 8 bytes, and both are given in hex notation. So the hashes look like this: